Sophos Cloud Optix
A little over a week since Apple released iOS 5, I thought I would review some of the new functionality and security on the platform in general.
I began by revisiting the encryption Apple promises and whether they have fixed the issue that I first wrote about in May 2010.
According to the “iPad in Business: Security” document on Apple’s website:
“iPad provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.”
This type of misleading statement shows how the specific meaning of a statement might imply that all of your data is protected where the reality is the devil is in the implementation details.
iOS 5 devices have the exact same implementation flaw of the AES 256 encryption as iOS 4. While the data is encrypted, iOS provides unfettered access without knowing the passcode or posessing the encryption keys.
All media (photos, videos, sound recordings and music) can be accessed from a computer that can speak Apple’s control protocol without any authentication, even if the device is locked.
Another issue that has come to light this week is the ability to bypass the lock screen on an iPad 2 using a Smart Cover.
9 to 5 Mac have published a video demonstrating the technique which is quite trivial to do.
Fortunately, there is a workaround and iPad 2 users can change their settings to disable auto-unlock when opening the Smart Cover.
In addition to Siri being enabled by default when the device is locked, there is another similar related flaw.
The website MacNotes.DE wrote an article describing how to make unauthorized outgoing phone calls with someone’s locked iPhone with iOS 5. You can make a call without unlocking if you have a missed call notification.
If you were to forge your caller ID (somewhat trivial for VoIP users) you could call someone’s iPhone with a number you wanted to call out to and then just tap the screen to dial the number.
I hope Apple is taking note and updates iOS to resolve these issues soon.
None of these issues are catastrophic, but all of them raise concerns for data loss and require iPhone/iPad users to pay extra attention to who physically has access to their devices.
You would ALWAYS want to be careful about who has physical access to your devices. Get real.
Hi there
You said:
Fortunately, there is a workaround and iPad 2 users can change their settings to disable auto-unlock when opening the Smart Cover.
So what is the workaround?
Thanks
Munaiba
Upgrade?
@Munaiba – That is the workaround: iPad 2 users can change their settings to disable auto-unlock when opening the Smart Cover…
Re Tkin's comment, yes you should be careful about physical security, but the primary purpose of encrypting data at rest is to mitigate the risk of physical theft. The same issues don't apply to other platforms (e.g. Blackberry), Chester is (IMHO) entirely reasonable to expect Apple to fix them.
Has Apple offered any sort of solution why all media is seemingly unprotected?
Seems most private users would be just as concerned about keeping their images private, as they would be with emails and the like.
Wow, asleep at the wheel. Has Apple offered any sort of EXPLANATION for why all media is seemingly unprotected?
There. Hopefully that's the last of todays' brainfarts.